Data Acquisition and Delivery

Use Case Description

High-speed, distributed computing environments present significant challenges to perform network-based
monitoring to identify file-based threats and data leakage exposures. Establishing complete visibility of all
files and associated objects to perform static and dynamic analysis as well as content inspection has become
increasingly difficult due to the continuing rise of network throughput.

Our Solution

InQuest has developed multiple native capture and analytical tools that network analysts can leverage to
improve visibility into the traffic passing through their network at speeds ranging from megabits to
multiple gigabits per second. These tools, together with tools provided by third-party vendors, are integrated
into a platform that allows them to be centrally managed and their results aggregated into an accessible
reporting format and an automatically generated threat score for the user.

To optimize use of the InQuest system, it is important to understand how data flows through the system and
how to best deploy it to meet organizational needs. Here, data flow through the InQuest framework is described
through the collection, analysis, and reporting phases.

Collection

The collection phase encompasses the original points of entry of different types of data into the InQuest
system. Data can be provided by InQuest, uploaded by clients, derived from traffic currently passing through
the network, analysis of past network traffic, or exchanged between InQuest users.

Network Monitoring

InQuest provides a Collector appliance designed to natively capture network traffic via a TAP or SPAN. The
Collector monitors all traffic passing through the network and reassembles/reconstructs it into aggregated
sessions for further analysis. These sessions are passed to the Artifact Extractor, which extracts embedded
files, connection information (domains, IPs, ports, URLs, etc.), and metadata (hashes, etc.) from the session.
By default, InQuest passes this information to several built-in post-processing functions. From there the
files and associated objects are then passed to several analytical InQuest Engines:

This information is then passed on to a threat scoring engine, which aggregates the results to generate a
threat score for the session.

RetroHunt Historic Threat Discovery Engine

InQuest also supports historical analysis of past traffic (set to two weeks by default). Using RetroHunt’s
retrospective analytical capabilities, traffic from the target date is scanned with the current signature set.
This allows threats that became public knowledge after the attack to be retrospectively identified and
handled.

InQuest Threat Exchange

The InQuest Threat Exchange is an opt-in cloud-based forum for information sharing between network defenders.
Analysts can upload or download information on IP addresses, domains, URLs, and file hashes, which can be used
in the automatic generation of threat scores.

Analysis

The analysis phase consists of deriving further information from artifacts already inside the InQuest system.
Primarily, this focuses on analysis of files by sandboxes, automated malware analysis engines, and recursive
file dissection. File hashes can also be uploaded to cloud-based reputation databases to determine if they
represent a known threat.

Sandboxes and Automated Malware Analysis Engines

InQuest provides the ability to integrate several sandboxes and automated malware analysis engines.
Possibilities include Cuckoo Sandbox, FireEye, Joe Sandbox, and VxStream Sandbox. These tools perform in-depth,
dynamic analysis of malware in a controlled environment, extracting characteristics that may be hidden from
static analysis of the files. Tools can be configured to be enabled, disabled, or only to run for certain
filetypes. Results are automatically fed into the InQuest Threat Score Engine for score calculation and
assignment.

Malware Scanning

OPSWAT Metadefender Core is a hardware appliance that uses multiple malware engines to scan files. This tool
can be integrated into InQuest so that files are automatically submitted to it through the data acquisition
that the InQuest Collector provides. The results of these malware engines are then passed to the InQuest
Threat Score Engine for score calculation and assignment.

InQuest MultiAV and VirusTotal

InQuest MultiAV and VirusTotal allow users to submit the hash of a suspicious file and receive information on
the file’s reputation and other metadata. The InQuest Threat Score Engine allows users to automatically pull
data from one or both and incorporate it into the generated threat scores.

Recursive File Dissection

InQuest has developed a file dissection engine designed to remove wrappings and obfuscations designed to
conceal malware and useful intelligence information (IP addresses, domains, etc.). File dissection occurs
recursively, with each level of extracted content passed through the analysis engines mentioned in previous
sections to determine if they are a threat. If an embedded component is identified as a potential threat, the
parent file is labeled as a threat as well.
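A minimal version of this unwrap-and-propagate logic, added here as an illustration and not InQuest's engine: a constructed three-layer sample (payload inside a zip, inside a tar, gzipped) is dissected, each layer is checked against a constructed known-bad hash set and mined for network indicators, and a threat verdict on any embedded component propagates to every parent. The payload, hash set, file names and depth cap are assumptions.

```python
"""Added example: recursive container dissection with verdict propagation."""
import gzip
import hashlib
import io
import re
import tarfile
import zipfile
from dataclasses import dataclass, field

# Constructed payload and constructed "known bad" hash set (assumptions, not a real feed).
PAYLOAD = (b"MZ\x90\x00 constructed fake payload body; "
           b"beacon http://c2.example.invalid/gate.php fallback 203.0.113.7")
KNOWN_BAD_SHA256 = {hashlib.sha256(PAYLOAD).hexdigest()}
MAX_DEPTH = 8  # stop unwrapping at this depth: guards against endlessly nested containers

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Node:
    """One dissected object; children are the objects extracted from it."""
    name: str
    sha256: str
    depth: int
    indicators: set = field(default_factory=set)
    own_verdict: bool = False  # this object itself matched a signature
    children: list = field(default_factory=list)

    @property
    def threat(self) -> bool:
        # A parent is labeled a threat if any embedded component is one.
        return self.own_verdict or any(c.threat for c in self.children)


def analyze(data: bytes):
    """Stand-in for the analysis engines: hash reputation lookup plus indicator extraction."""
    digest = hashlib.sha256(data).hexdigest()
    indicators = {m.decode() for m in URL_RE.findall(data)}
    indicators |= {m.decode() for m in IP_RE.findall(data)}
    return digest, digest in KNOWN_BAD_SHA256, indicators


def unwrap(data: bytes):
    """Yield (name, bytes) for each object embedded in a container; nothing for leaf files."""
    if data[:4] == b"PK\x03\x04":  # zip local file header
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif data[:2] == b"\x1f\x8b":  # gzip magic
        yield "<gunzip>", gzip.decompress(data)
    else:
        try:
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                for member in tf.getmembers():
                    if member.isfile():
                        yield member.name, tf.extractfile(member).read()
        except tarfile.ReadError:
            return  # not a container we know how to open: leaf object


def dissect(name: str, data: bytes, depth: int = 0) -> Node:
    """Analyze this object, then recurse into everything embedded in it."""
    digest, bad, indicators = analyze(data)
    node = Node(name, digest, depth, indicators, bad)
    if depth < MAX_DEPTH:
        for child_name, child_data in unwrap(data):
            node.children.append(dissect(child_name, child_data, depth + 1))
    return node


def collect_indicators(node: Node) -> set:
    found = set(node.indicators)
    for child in node.children:
        found |= collect_indicators(child)
    return found


def report(node: Node, indent: int = 0) -> list:
    lines = [f"{'  ' * indent}{node.name}  sha256={node.sha256[:12]}  threat={node.threat}"]
    for child in node.children:
        lines.extend(report(child, indent + 1))
    return lines


def build_sample() -> bytes:
    """Constructed input: payload in a zip, the zip in a tar, the tar gzipped."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"quarterly numbers attached")
        zf.writestr("invoice.exe", PAYLOAD)
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        info = tarfile.TarInfo("attachments/inner.zip")
        info.size = len(zbuf.getvalue())
        tf.addfile(info, io.BytesIO(zbuf.getvalue()))
    return gzip.compress(tbuf.getvalue())


if __name__ == "__main__":
    root = dissect("attachment.tar.gz", build_sample())
    print("\n".join(report(root)))
    print("indicators:", sorted(collect_indicators(root)))
```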

Reporting

Rather than force an analyst to review the results of several systems to derive a complete picture about a
suspicious artifact, InQuest automatically runs the appropriate analysis tools (based on user configurations)
and calculates a threat score for each network session and file passing through the network perimeter.

The InQuest User Interface provides a user-friendly method of accessing the reports generated for any session
or file. The results of each analysis tool are collected on a single page along with the aggregate threat
score. Users can also perform database queries to explore relationships or drill more deeply into an
identified threat.

N-Day Attack Coverage

Use Case Description

N-Day threats are the most commonly used attacks targeting both the private and public sectors. The first
step in defending a system against a known attack is defining the threat. Once malicious traffic can be
reliably identified, it can be detected and/or prevented.

Our Solution

InQuest provides two methods for adding threat signatures to the database: automated and user-defined.

Malware Signature Development

The first step in defending a system against an attack is defining the threat. Once malicious traffic can be
reliably identified, it can be located and removed from the system. InQuest provides two methods for adding
threat signatures to the database: automated and user-defined.

InQuest Automated Updates

One service that InQuest provides to its users is an automated feed of code, signature, and intelligence
content through InQuest Automatic Cloud Updates. InQuest’s intelligence originates from internal experience
derived from daily real-world attack prevention, private partnerships with Exodus Intelligence and other
research organizations, and public intelligence collected and aggregated using web crawlers from public
sources into a single database. Based upon this intelligence, InQuest develops signatures of emerging threats
and provides them via Automated Updates to protect their clients’ networks.

InQuest signature packs are also available to their clients for manual upload. This provides clients within
restricted environments the ability to perform necessary security checks prior to importing them into their
systems.

User-Defined Signatures

InQuest provides their clients’ internal security teams with the ability to define signatures for threats
targeting their organizations. Through the User Interface, an administrator can add, enable, and disable
policies to tune the InQuest system to the needs of their environment.

InQuest MultiAV, Threat Exchange, and VirusTotal Integrations

InQuest provides multiple methods by which an analyst can gather information regarding suspicious traffic
passing through their computing environments. InQuest MultiAV is a cloud-based hash analysis engine. By
providing the hash of a suspected file, analysts can determine whether or not the file in question is known to
be malicious. InQuest also offers integrations with VirusTotal’s cloud-based API, which allows antivirus
reports to be retrieved based on the hash of a file.

InQuest Threat Exchange allows analysts to communicate with the InQuest cloud-based threat score database to
request and provide information regarding suspicious IP addresses, domains, URLs, and file hashes. During a
distributed attack, this allows analysts at various InQuest client sites to pool their information and respond
more rapidly to the threat.

Reviewing Past Events in RetroHunt

InQuest provides the ability to retrospectively analyze past network traffic and files using the RetroHunt
functionality. When dealing with an attack using a new signature, it’s important to scan past traffic to
determine if the network has been previously attacked and potentially infected. Using RetroHunt, hidden
threats within the network can be identified and mitigated.

Threat Actor Infrastructure Detection

Use Case Description

Threat actors often use a variety of command-and-control servers to evade detection and improve resiliency of
their attack campaigns. Attacks with a single point of failure (like WannaCry’s kill switch) run the risk of
having this point identified and disabled, bringing the lifespan of an attack campaign to an abrupt end. Use
of a single set of command-and-control nodes also runs the risk of an accidental denial of service (DoS) of
these servers by a highly successful attack campaign. For these reasons, threat actors often use multiple
command-and-control servers to distribute and communicate with their malware.

Identification of the infrastructure used by a threat actor in an attack is valuable to a network defender
for many reasons. If all of the communication channels used by malware are identified and blocked, the threat
posed by the malware is essentially eliminated. Identification and correlation of command-and-control servers
used by multiple attack campaigns suggests a link between them, which may aid in analysis and accelerate
deployment of appropriate defensive countermeasures.

Our Solution

InQuest has developed and integrated many in-house and third-party solutions for the discovery, detection and
prevention of threat actor infrastructure. Several of these tools are useful in the identification and
correlation of components of threat actor infrastructure used in various attack campaigns. Through the
extensive research methodologies of InQuest Labs, InQuest has been able to identify and mitigate malware
campaigns designed to leverage threat actor infrastructure stood up specifically for the targeting of its
clients.

Real-Time Network Traffic Monitoring

InQuest provides real-time monitoring of network traffic passing through the protected network perimeter
through the use of a Collector passively collecting traffic via a TAP or SPAN. Sessions are reconstructed and
analyzed using several proprietary InQuest native capture tools.

Automated Signature Scanning

InQuest provides their clients with the capability to import InQuest Labs provided signatures either manually
or automatically. Users are also able to define and upload their own signatures and enable or disable them via
Policy definition to meet their needs. The InQuest Threat Discovery Engine (TDE) uses these signatures to
identify malware entering the network, providing a starting point for mapping a threat actor’s attack
infrastructure.

DNS monitoring for known bad domains

Included in InQuest’s feed packs is a list of currently known malicious domains scraped from a variety of
internal, private, and public sources. Each DNS request made from within a protected network is checked
against this list and an alert is raised in the event of a match. Identification of an infected machine allows
analysts to identify the malware and infection vector of the machine and analyze this data for further clues
about the threat actor’s operations (IP addresses, domains, etc.).

InQuest Artifact Extractor

InQuest Collectors include a built-in network traffic artifact extraction engine which extracts metadata from
network sessions passing through the network perimeter. This metadata includes IP addresses, URLs, domains,
files, and file hashes and can be invaluable in identifying and associating various malicious content and
different aspects of the same attack campaign.

Recursive File Dissection

InQuest has developed a recursive file dissection engine designed to unwrap the layers of obfuscation
employed by hackers to mask and protect their malicious code. Hackers do not wish for their malicious content
to be commonly known (since it would be promptly added to blacklists), so they often hide this information
within files and/or objects in a variety of ways, forcing analysts to spend valuable time verifying that they
have identified all of the infrastructure that the malware may contact. InQuest’s file dissection engine
automatically unravels the protections placed around this information, accelerating the pace at which the
threat actor’s infrastructure is identified and mitigated.

Sandboxes and Automated Malware Analysis Engines

InQuest provides seamless integration of multiple third-party sandboxes and automated malware analysis
engines, including Cuckoo Sandbox, Joe Sandbox, VxStream Sandbox, and FireEye. These tools are valuable for
extracting hidden information from malware. They allow the malware to execute in a protected environment and
identify files, domains and IPs that the malware attempts to contact. This intelligence can be correlated with
information gained from other sources to provide greater visibility into a threat actor’s infrastructure.

InQuest Automatic Updates

InQuest collects threat intelligence from a variety of sources. Internally, experience from dealing with
real-world attacks on a daily basis provides knowledge regarding current attack trends. Private information is
shared through a network of partnerships with Exodus Intelligence and other research organizations. Public
information is collected and aggregated through crawlers that search public intelligence repositories. This
information is available to InQuest clients via InQuest Automatic Updates. These code, signature, and
intelligence updates from the InQuest cloud are available for manual download as well.

InQuest Threat Exchange

The InQuest Threat Exchange is a cloud-based forum for collaboration between InQuest clients across the
globe. This cloud-based threat score database stores information regarding suspicious IP addresses, domains,
files, and hashes and enables defenders to collaborate to quickly build a map of the infrastructure supporting
a given attack.

InQuest User Interface

InQuest is designed to simplify the network defender’s experience. The InQuest User Interface (UI) provides a
high degree of control to the user and powerful search and data correlation capabilities. Behind the scenes,
every network session passing the network boundary is analyzed and labeled with a threat score. Once an
indicator of an attack campaign is identified (a file, URL, domain name, etc.), the UI can be used to identify
related information and trigger and access the results of integrated tools. Signatures based on extracted
information can be easily defined and scanned against within the UI. The UI also allows scanning in RetroHunt
mode to detect attacks performed before signatures had been developed.

Zero-Day Attack Coverage

Use Case Description

Intrusion detection and prevention systems largely identify threats to a network by matching against
signatures of known attacks, an approach that is ineffective against zero-day attacks. InQuest leverages
partnerships, in-house capabilities, and third-party tools to build a comprehensive picture of potential
threats passing through a protected network boundary. Using this information, a threat score is automatically
applied to all network sessions and probable threats are highlighted to analysts, allowing rapid detection,
triage, and remediation of network threats.

This Use Case describes the threat detection and alerting functionality provided by InQuest and how it can be
applied to the detection of zero-day threats entering a protected network.

Our Solution

InQuest draws from a variety of intelligence sources, shares this intel with the users through manual or
automatic updates, and provides a plethora of information via the InQuest User Interface for discovery and
analysis of zero-day threats.

InQuest Intelligence Sources

InQuest collects intelligence from a variety of internal, private, and public sources. Internally, InQuest
uses hands-on experience gained from dealing with daily, real-world attacks to identify, triage, and develop
signatures for malware. InQuest partners closely with Exodus Intelligence and collaborates with other research
organizations. Using web crawlers and aggregation tools, InQuest collects data from a variety of public
sources into a single database. These data feeds are integrated to provide InQuest with a comprehensive view
of potentially new or unknown threats targeting their clients.

InQuest Automated Updates

InQuest offers an optional, automated update service, providing code, signature, and intelligence updates. By
enabling this service, InQuest systems can be kept up-to-date on the current threats that they may face and
provide protection against attacks evolving in real time.

Automated Threat Scoring and Alerting

InQuest provides a variety of built-in and integrated solutions for assigning threat levels to network
traffic passing through the perimeter of a protected network. Here, the tools helpful in the detection of
zero-day attacks and the methods for accessing their results are described.

Known Malicious DNS Domain Monitoring

It is not uncommon for malware authors to use the same command-and-control or download servers for a variety
of malware campaigns. InQuest provides an automated monitoring service for any resolution attempt of known
malicious domains. If a new malware variant uses known command-and-control or download servers, an alert will
be generated for the malicious traffic, allowing a network administrator to shut down even zero-day attack
traffic.
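The check described here and under "DNS monitoring for known bad domains" above, as an added example that is not InQuest's implementation: a constructed DNS query log is matched against a constructed list of known-bad domains, with parent-domain matching so that a new subdomain of a known C2 domain still alerts, and hits are grouped per client so the infected machine is identified. The log format, domain list and client addresses are constructed.

```python
"""Added example: known-malicious-domain monitoring over a DNS query log."""
from dataclasses import dataclass

# Constructed feed of known-bad domains (assumption, not InQuest's feed pack).
KNOWN_BAD_DOMAINS = {"c2.example.invalid", "dropper.example.test"}

# Constructed DNS query log: timestamp, client IP, queried name, record type.
DNS_LOG = """\
2024-03-01T09:00:01Z 10.1.2.30 www.example.com A
2024-03-01T09:00:02Z 10.1.2.30 update.dropper.example.test A
2024-03-01T09:00:03Z 10.1.2.44 mail.example.com MX
2024-03-01T09:00:04Z 10.1.2.44 C2.Example.Invalid. A
2024-03-01T09:00:05Z 10.1.2.51 example.invalid A
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client: str
    qname: str
    matched: str  # the feed entry that fired


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def match_domain(qname: str, feed: set):
    """Return the feed entry matching qname or one of its parent domains, else None.

    A feed entry for dropper.example.test must also catch update.dropper.example.test,
    but a query for the parent example.invalid must not match c2.example.invalid.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):  # never test a bare TLD against the feed
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def scan_dns_log(log: str, feed: set) -> list:
    """Raise one Alert per DNS request whose name matches the feed."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, client, qname, _qtype = line.split()
        hit = match_domain(qname, feed)
        if hit is not None:
            alerts.append(Alert(timestamp, client, normalize(qname), hit))
    return alerts


def infected_hosts(alerts: list) -> dict:
    """Group alerts per client so the analyst can pivot to the infected machine."""
    hosts = {}
    for alert in alerts:
        hosts.setdefault(alert.client, set()).add(alert.matched)
    return hosts


if __name__ == "__main__":
    found = scan_dns_log(DNS_LOG, KNOWN_BAD_DOMAINS)
    for alert in found:
        print(f"ALERT {alert.timestamp} {alert.client} queried {alert.qname} (feed: {alert.matched})")
    print("hosts to investigate:", infected_hosts(found))
```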

InQuest URL Analyzer

InQuest provides an integrated URL analysis engine. Based upon the structure of observed URLs, the URL
Analyzer determines the probability that traffic is malicious. Even if a zero-day attack uses unknown
command-and-control or download servers, if the URL shares common properties with other malicious sites, an
alert will be raised to draw attention to the suspicious traffic.

InQuest File Analyzer

Malware authors commonly embed malicious code within a benign file in order to increase the probability that
it will be able to enter the network perimeter and entice users to execute the malicious functionality. It is
not uncommon for a zero-day attack to include some previously-known malicious code (for example, a new exploit
that installs a common malware backdoor or downloader). InQuest’s file dissection engine recursively unwraps
the levels of obfuscation around malicious code and tests each level using best-in-breed, third-party analysis
tools, maximizing the probability that even a zero-day attack will be detected when entering the protected
network.

SIEM Integration

InQuest offers seamless integration with several third-party tools to provide robust antivirus, sandboxing,
reputation checking, and automated malware analysis capabilities. While not enabled by default, the following
tools can be painlessly configured to improve detection of even zero-day attacks:

VirusTotal: Online service used to look up AV reports for known-bad hashes.

InQuest User Interface

Based upon the information gathered by InQuest’s built-in and integrated threat analysis capabilities, the
system automatically generates a threat score for each session and file entering or leaving the network. These
threat scores are displayed via the InQuest User Interface (UI), which highlights probable threats against the
protected network. The UI also supports a wide range of queries against collected data, allowing an analyst to
explore relationships and extract details regarding threats against their network.

Sandbox Integration for Dynamic File Analysis

Use Case Description

Information about the capabilities and communication paths used by a malware sample is invaluable for
removing an infection and developing usable indicators of compromise for network detection. Malware authors
commonly attempt to conceal this information, making static analysis of a sample to extract indicators
extremely time consuming and resource intensive.

Through execution of malware on a target system, these indicators can be easily collected through observation
of the effects of the malware on the system and host network. Multiple vendors have developed sandbox systems
to allow dynamic analysis of files and objects in a contained environment.

Our Solution

To provide InQuest users with the best possible information about suspicious samples, InQuest has provided
built-in integrations for several of the best and most popular sandbox solutions, including Cuckoo, FireEye,
Joe, and VxStream sandboxes.

Cuckoo Sandbox

Cuckoo Sandbox is an open-source dynamic malware analysis engine. It performs API call tracing and can be
used in conjunction with Volatility for analysis of the memory space of malicious processes. It includes
support for Windows, Linux, Mac, and Android.

InQuest interfaces with Cuckoo Sandbox via the Cuckoo Sandbox API. Once an instance of Cuckoo Sandbox is set
up and running, the administrator can set the hostname or IP and port of the Cuckoo Sandbox API and whether or
not to use global proxy settings. Administrators can also configure InQuest so that files are submitted
automatically to Cuckoo Sandbox and if an alert should be generated from Cuckoo those results are returned to
InQuest for Threat Score consumption.

FireEye

FireEye provides a hardware appliance that acts as a sandbox for dynamic analysis of suspicious files. The
FireEye sandbox monitors system-level changes to file systems, memory, and registries made by the operating
system or installed applications. Using the FireEye Multi-Vector Virtual Execution (MVX) engine, FireEye
executes code through the entire attack chain to provide a more comprehensive view of its capabilities.
Network traffic generated by the sample is captured to allow analysis of URLs and embedded code. The FireEye
appliance supports Windows and Mac.

Integration of a FireEye appliance requires an administrator to specify the API URL and proxy settings and
uses a username/password authentication scheme. Users can specify the operating system to be emulated
(defaults to Windows XP SP 3), whether files should be submitted automatically to the appliance for analysis,
and whether an alert should be generated when a report is received from the appliance.

Joe Sandbox

Integration of Joe Sandbox requires a Joe Sandbox API key and appropriate proxy settings. Administrators can
also specify whether files should be submitted automatically and whether an alert should be generated when a
report is received.

VxStream Sandbox

The VxStream Sandbox is an automated malware analysis system developed by Payload Security (which was
acquired by CrowdStrike). It analyzes runtime behavior and the memory space of malicious processes. VxStream
Sandbox also extracts strings and API calls from analyzed malware. Support for defeating common anti-VM
techniques and kernel-mode monitoring (to conceal itself from user-mode malware) is also included.

VxStream Sandbox communicates over the tool’s API and requires the host URL and proxy settings as well as an
authentication key and authentication secret for the API. The environment variables for running samples in
VxStream can also be configured. VxStream can also be set to run automatically for each file and to generate an
alert when results are received.

Identify Malware Through Automated Dissection and Inspection

Use Case Description

A significant challenge for malware authors is how to actually deliver their malware through perimeter
network defenses and entice a user to execute it on their system. Many network-based intrusion detection
and/or prevention systems are signature-based and will alert and/or block known malware from successfully
entering a network. In addition to the perimeter defenses, the continuing rise of security awareness through
user training has made it increasingly challenging to entice a user to open a file that has been sent to them
from an untrusted source. In order to overcome these challenges, malware authors use a variety of tactics and
techniques such as compression, encoding, and obfuscation to evade detection.

Our Solution

InQuest’s platform represents a next generation solution for detecting and stopping malware. Our components
are designed to peel back the layers used by threat actors to disguise their activity and to reveal the
malware hidden within. InQuest’s threat detection solution locates these frequently disguised malicious
applications and unmasks them through automated post-processing. By thoroughly dissecting and inspecting
session data and file content the solution provides you with a robust resource for identifying and thwarting
sophisticated attackers.

InQuest scrutinizes files downloaded over the web or received via email to detect malicious code in-transit.
We apply innovative post-processing techniques to live monitored network traffic which enables us to provide
insights from even the most cleverly masked malware. Additionally, integrations are available for a number of
antivirus and sandbox technologies that serve as complementary functions to InQuest’s analytics. Here, each
stage of the process will be explained along with information about how you can set up InQuest to protect your
network against these types of evolving threats.

Data Collection

The InQuest Collector is designed to identify and display network sessions and associated files and objects
that are entering and leaving your network regardless of whether or not they are malicious. By allowing a
Collector to natively capture your network traffic via a network TAP or SPAN, all files entering and leaving
your network are reconstructed from the network streams and retained for further inspection. Network traffic
saved as a pcap as well as raw files can also be fed to the Collector or Manager for offline traffic analysis
and content inspection.

File & Object Dissection

InQuest has developed a post-processing layer that parses common file types and identifies locations where
other files or code can be embedded within the file that was originally captured. For example, Microsoft
Office documents can include macro functionality written in Visual Basic for Applications (VBA). Additionally,
support is available for decompressing common archive file formats (zip, gzip, etc.), decompiling byte code,
reversing common encodings and stripping other methods of obfuscation.

InQuest identifies embedded content within a file and recursively dissects files to find hidden content that
could potentially be malicious. Each piece of extracted content is passed back through InQuest’s Threat
Discovery Engine (TDE) in order to identify embedded malware.

Analyze

Rather than attempting to reinvent the wheel, InQuest is designed to integrate best-of-breed in-house and
third-party solutions for sandboxing, antivirus, and feature-based file reputation lookups. These types of
integrations consist of the following:

VirusTotal: Online service used to look up AV reports for known-bad hashes.

InQuest is designed to make the integration of these products painless for the administrator to configure and
the operator to monitor. Operators can specify which products should be used and which filetypes should be
analyzed by each of the respective static and dynamic analysis systems.

Alert

Using the output of the analysis stage, the InQuest User Interface (UI) calculates and displays a threat
score as well as the events that were generated for each network session and its associated files. Analysis
results and metadata regarding the session as well as the file are also provided to give an intrusion analyst
or incident responder a complete picture of the incident.

Support for the Consumption of Numerous Data, File and Protocol Formats

Use Case Description

Malware can be embedded in a variety of different files and formats. In many cases, commercial-off-the-shelf
(COTS) security products are incapable of scanning and supporting all relevant file and protocol formats when
inspecting data in transit, leaving you blind to the potential threats.

Our Solution

InQuest systems support a wide array of file formats and have special processing routines designed to extract
the data that can be concealed within each one. Here, the intended and malicious functionality of different
types of files are highlighted and a sample of the relevant file types that InQuest supports is listed.

Compressed Files

File compression is intended to allow files to be stored or transmitted in a format that requires less space
than their standard structure. This functionality is often leveraged by hackers to conceal malicious
functionality, as a signature of an uncompressed file will not match the compressed version of the file.
InQuest natively supports decompression of a variety of common compressed file types including the following:

7z
AR
ARC
ARJ
BZIP2
CAB
COMPRESS
CPIO
DEB
FLAC
GZIP
ISO
LZMA
RAR
RPM
TAR
XZ
ZIP

Document Files

Document files include Microsoft Office file formats, Portable Document Format (PDF) files and similar. These
files can contain embedded malicious code that the visible contents of the document encourage the user to
execute. For example, Microsoft Office documents support the use of macros which, if executed, have the
ability to install malware on the user’s machine. PDF readers have historically contained vulnerabilities that
allow malicious code to execute if the document is even opened. InQuest supports a variety of common document
formats and identifies and extracts embedded content for further analysis. Supported file types include, but
are not limited to, the following:

DOC
DOCM
DOCX
PDF
PPS
PPSM
PPT
PPTM
PPTX
XLS
XLSM
XLSX

Executable Files

The Portable Executable (PE) format is the data structure that Windows operating environments use to load and
manage executable code. An unexpected executable entering the network perimeter is always a cause for
suspicion, since executables are designed to be lightweight and trivial to execute. Executable file types vary
based upon the base operating system. A sample of the ones supported by InQuest includes the following:

EXE
DLL

Flash Files

Flash files provide animation and video capabilities to applications, web pages, etc. Since code is needed to
play the video, it is possible to create a malicious Flash file consisting of the actual video and some
code that runs in the background. InQuest systems search for embedded code in Flash files and support the
following formats:

FLA
FLV
SWF

Script Files

Script files are files containing code intended to be executed within a certain environment. On the web, PHP
and JavaScript are commonly used scripting languages. Microsoft Office documents support Visual Basic for
Applications (VBA) scripting to allow the automation of repetitive tasks. Execution of untrusted script files
is dangerous as they have the ability to install malware on the affected computer. InQuest natively supports
many scripting filetypes including the following:

JS
PHP
PL
VBA

SIEM Integration

Use Case Description

Security software that doesn’t effectively communicate or integrate with other solutions in your environment
can leave significant gaps in your overall coverage. When security incidents or events occur, this information
needs to be rapidly communicated to your SOC staff so they can take action. As a result, robust SIEM
integration is an essential component of all Security Operations.

Our Solution

InQuest’s software offers a number of strategic integrations to provide a comprehensive security solution. We
are not shy about leveraging the ability of other vendors to improve the coverage our solution offers. InQuest
currently has integrations with OPSWAT, VirusTotal, FireEye, Joe, Cuckoo, VMRay, ArcSight, Splunk, and more.
Users have the ability to interface with all of InQuest’s data and backend functionality through numerous SIEM
integrations.

Our deep familiarity with integration points enables us to maximize the value of our SIEM integrations through
either push or pull data ingest. InQuest uses its analysis engine in combination with active integrations to
provide a single, intelligently weighted, easily digestible threat score which is readily made available to all
third-party SIEM solutions.

Identify Command-and-Control Communications

Use Case Description

Malicious software often seeks to gain control of your systems and establish command-and-control
communications to initiate processes such as exfiltrating valuable data. If a zero-day exploit has been used,
there is typically no signature that can be utilized to identify the exploit and stop it before it compromises
your systems. Detecting anomalous command-and-control communications is key to dealing with attacks of this
type, and it provides your SOC staff with the information they need to quickly address the compromise.

Our Solution

InQuest’s platform constantly monitors command and control (C2) communications (DNS and IP) for signs of
anomalous activity. Keeping abreast of the latest C2 nodes through threat intelligence is key for detecting
this activity. Our C2 detection engine alerts you if any of those nodes are seen touching your network, so we
not only focus on what is being said but also who is saying it. The InQuest Labs Team publishes daily updates
of known C2 IP addresses and domains globally which are then flagged in our UI for further investigation.

Malware Hunting & Retrohunting

Use Case Description

Identification of malware present within a network is the first step to containing and eradicating an
infection. If malware can be identified at the perimeter, it can be blocked from entering the network at all,
ultimately eliminating the threat of an infection. However, if malware manages to enter and execute on a
network, the infection can spread as well as take action to conceal itself and increase the difficulty of
removal.

Our Solution

The InQuest platform provides powerful functionality to network defenders hunting for the presence of malware
on their networks. In this section, we describe the features relating to the identification of malware,
extraction of unique characteristics, and performing real-time and historical searches for artifacts matching
these or similar characteristics to identify malware on the network.

Identification

InQuest is capable of providing network protection at various strategic positions within your network. This can
be achieved either in real time, through the deployment of a Collector off of a network TAP or SPAN to perform
native network traffic capture, or after the fact, using file and/or packet capture upload capabilities manually
through our UI or programmatically through our APIs. This network traffic is reassembled and reconstructed by
InQuest into artifacts (session information, files, objects, etc.) which are then analyzed to detect
indications of malware.

InQuest Automatic Updates

InQuest provides customers the option to subscribe to automatic updates from InQuest Labs. These updates
include code updates, intelligence information, and signature packages for detecting recent threats. Updates
are also available for manual upload to InQuest systems. InQuest Labs collects data from internal research and
experience, private partnerships, and crawling of public repositories and collates it to provide customers
with a comprehensive view of the current threat landscape.

Enabling automatic updates maximizes the probability that InQuest will alert on malware entering a protected
network, allowing defenders to react rapidly to a potential infection. If an infection is detected or
suspected on a host, upload of a packet capture of the host’s traffic to the InQuest system enables scanning
the traffic for indicators of known malware variants. This provides a jumping-off point for a malware hunting
operation.

InQuest Blacklisting

In addition to the static analysis that InQuest performs, InQuest also provides the ability to blacklist file
hashes. Checks against this blacklist are automatically performed on InQuest systems for all captured files,
which aids in the detection of malware variants that have been previously identified but might otherwise go
undetected.

InQuest URL Analyzer

Certain characteristics of a URL may indicate that a given domain is a command-and-control node or a drive-by
download server. InQuest systems perform URL analysis and generate alerts when internal computers request URLs
that appear suspicious or potentially malicious. Reviewing these alerts allows an analyst to identify
computers that warrant a more in-depth analysis.

Artifact Characteristic Extraction

Once potential malware is identified on the network, any information that can be extracted from the sample
can be valuable in determining the scope of the infection on the network. Properly classifying the malware can
confirm that it is malicious and provide insight into its potential capabilities. In-depth analysis
can provide indicators to aid in identification of malicious traffic, related malware, and artifacts left on
the infected system.

InQuest provides several tools and available integrations to aid in extracting actionable data from collected
malware samples. Available tools are a mix of InQuest-developed programs and third-party vendor software. The
applications of these tools to malware hunting are described in this section.

Recursive File Dissection

InQuest has developed a proprietary file dissection utility. Malware authors commonly compress, encode,
obfuscate, and embed their malicious code and data within other files in order to avoid scrutiny and detection
by network defenders and antivirus engines. InQuest’s tool performs recursive file dissection, extracting each
piece of hidden content and submitting it to other post-processing utilities and back to itself to provide a
comprehensive view of the content within a suspect file.

The information most valuable to malware hunters (dropped files, executable names, command-and-control nodes
and IP addresses, etc.) is exactly what malware authors work the hardest to conceal. InQuest’s file dissection
utility automatically locates and extracts this hidden information, making it readily available to analysts.

External Integrations

The InQuest Platform enables a user to leverage the capabilities of a variety of InQuest-developed and
third-party vendor tools for analysis of files and objects captured on the network. Several sandboxes,
automated malware analysis engines, antivirus engines, and file analysis engines can be painlessly integrated
with InQuest to provide best-in-breed capabilities in all aspects of file analysis.

Sandboxes and Dynamic File Analysis Tools

InQuest systems provide seamless integration with a variety of third-party vendor solutions for automated
dynamic analysis and characteristic extraction of files. Available tools include Cuckoo Sandbox, FireEye, Joe
Sandbox, and VxStream Sandbox. Integration with these tools provides a malware hunter with a wealth of
information regarding the behavioral characteristics of a suspected malware sample.

InQuest Threat Exchange

The InQuest Threat Exchange is a cloud-based database for InQuest clients to exchange information on
suspicious IP addresses, domains, URLs, and file hashes. With this component enabled on the local InQuest
deployment, automated checks are performed against the Threat Exchange database to determine if network and/or
file artifacts have been previously identified as suspicious and/or malicious.

OPSWAT Metadefender Core

OPSWAT Metadefender Core is a hardware appliance that automatically scans a suspicious file using over thirty
different antivirus engines. This scanning allows a malware hunter to proceed with confidence that a given
sample is or is not a known threat and provides classification information regarding the malware family and
its associated capabilities.

InQuest MultiAV

InQuest MultiAV is a cloud-based hash analysis engine. With this component enabled on the local InQuest
deployment, automatic hash checks are performed against the cloud-based database providing users with
information regarding the probable maliciousness of the file.

VirusTotal

VirusTotal is an online repository of data regarding suspicious files, URLs, and IP addresses. By searching
for a certain hash, users can access results from many antivirus engines, behavioral information from dynamic
analysis of the malware, and other users’ comments and notes on the malware. VirusTotal is integrated with
InQuest to provide users with the ability to programmatically access VirusTotal’s data through its API.

User-Defined Signature Development

Beyond the InQuest-developed signatures provided via InQuest Automated Updates, InQuest empowers its users
with the ability to define their own signatures in YARA format. Signatures can be directly entered or added in
batches via a file upload option within the UI. Users also have the ability to set the confidence and severity
of a signature (or of a batch uploaded via file upload) and to enable or disable certain signatures for scanning.
Once the signature or signatures are defined, users have the ability to perform a RetroHunt using the
newly defined signature against a configurable timeframe of historical data.

InQuest User Interface

The InQuest system provides a robust and user-friendly User Interface (UI) to aid analysts in network
monitoring and threat hunting. Each network session and file captured by InQuest is automatically assigned a
threat score based upon the output of the enabled post-processing tools and integrations. These threat scores
and tool outputs are available to the user via an intuitive interface. Malware hunters can also perform
queries on the database to explore relationships between different sessions or files or to drill down into a
suspicious incident.

RetroHunt Retrospective Analysis

InQuest also provides analysts with the ability to perform threat discovery on past network traffic via the
RetroHunt Historic Threat Discovery Engine (TDE). By default, the RetroHunt TDE automatically performs
RetroHunts or retrospective analysis across the past 14 days (configurable) of captured data (files, sessions,
etc.). All of the enabled post-processing operations are applied to the historic traffic in RetroHunt mode
using the most recent signature sets. This allows previously undiscovered/unidentified malware in-transit to
be identified and analyzed.

Import YARA Signatures

Use Case Description

YARA is a tool developed to assist in the identification and classification of malware. It performs pattern
matching against file content using a wide range of strings and/or regular expressions with varying
conditions.

Our Solution

The InQuest platform allows for the manual or automated import of YARA signatures either programmatically or
directly through the InQuest User Interface (UI) via manual input or CSV import.

Multi-Scanning Engine Integration for Malware Detection

Use Case Description

Traditional AV solutions may not be able to detect all of the ever-increasing variants of malware in action
at any one time. Additionally, different security software products may specialize in various types of malware
identification. To mount a comprehensive defense, an approach that allows for multi-scanning across various
engines is essential.

Our Solution

InQuest uses innovative post-processing techniques to monitor live network traffic, enabling our platform to
provide insights into even the most creative combinations of obfuscation. InQuest combines its scrutiny of raw
network data with proprietary security checks, giving you the ability to integrate it with your existing
security infrastructure. Integrations are currently available for a variety of antivirus and sandbox
technologies that work in a complementary capacity with InQuest’s platform. This enables multi-engine scanning
of all files in-transit on your network for potential security issues.

Most modern anti-malware solutions have limitations when it comes to the detection, inspection, and
mitigation of embedded file content. This results from the tendency of malware to be nested in multiple layers
of an application, making its detection extremely difficult. InQuest’s platform enables users to create and
apply custom static analysis signatures leveraging the same performance and deep analytics benefits as the
rest of the platform. This allows for multi-engine scanning using the latest information about emerging
malware threats.

In addition to the onboard multi-scanning that InQuest provides from numerous Threat Discovery Engines, we
also have an external integration with OPSWAT’s Advanced Threat Prevention Platform. OPSWAT pioneered the
concept of combining the scanning results of multiple antivirus engines to produce a more accurate determination
of the probability that a given file is malicious. The OPSWAT Metadefender Platform is a hardware appliance that
scans a file using over thirty major antivirus engines to maximize the probability that known malware is
correctly identified. Integrated antivirus engines include AVG, AhnLab, Avira, Bitdefender, ESET, IKARUS, K7,
nProtect, and Zillya!.

InQuest systems allow a Metadefender appliance to be seamlessly integrated into the Threat Detection Engine,
allowing users to confidently determine if a file entering the network is malicious. Integration requires an
administrator to provide an API key, IP address, port number, a syslog IP address and port, the API URL, and a
timezone offset.

Multitenancy Support

Use Case Description

Multitenancy, or Multiple Tenant Support, is when a system is capable of supporting the independent management
of multiple disparate entities, groups, or organizations within a shared computing environment. Common examples
of multitenant environments include larger enterprises with numerous business units, such as Managed
Security Service Providers (MSSPs), government organizations, etc.

Our Solution

InQuest provides support for multiple organizations to share the resources of a single InQuest deployment.
InQuest devices can be configured so that their customers’ data, policies, permissions, and users can be
logically separated and managed using shared resources. This allows organizations to pool their resources to
achieve protection beyond the capabilities of their individual resources while maintaining complete control
over their data and users as well as how their policy is enforced against their Areas of Responsibility.

Data Loss Prevention (DLP)

Use Case Description

With the recent explosion of data breach reports, data loss prevention (DLP) has become an area of focus for
many organizations. If an attacker gains access to a protected network and begins exfiltrating sensitive
information, the longer the breach goes undetected, the greater the damage to the organization. To evade
detection of data leaks, hackers commonly obfuscate and embed stolen data within benign files and network
flows. It is essential that data exfiltration be detected as soon as possible to minimize financial,
reputational, and intellectual property damage and exposure.

Our Solution

The InQuest platform provides functionality that empowers analysts with the ability to easily and efficiently
identify data exfiltration across their network boundaries. The InQuest solution to Data Leakage consists of
four main steps: Observe, Dissect, Identify, and Alert.

Observe

The InQuest Collector can be deployed off a TAP or SPAN to collect all traffic passing through the network
boundary of a protected network. As traffic passes through the network boundary, the Collector captures it and
reassembles network sessions from the captured packets. Once reconstructed, these sessions are passed on to
InQuest’s post-processing modules for dissection and analysis.

Dissect

InQuest has developed proprietary dissection technology capable of processing the most common file types.
This technology automatically identifies where data can be hidden within these file types. The file dissection
utility natively supports a variety of compression, encoding, and obfuscation techniques and automatically
extracts embedded and obfuscated data hidden in files for further analysis. File dissection and
post-processing are run recursively so that each extracted piece of hidden content is analyzed. This provides
protection against attackers using multiple levels of obfuscation to conceal data and guarantees that all
concealed content is exposed for analysis.

Identify

Once dissection is complete, each piece of revealed data is tested against the full signature library of the
InQuest system. In addition to the Data Leakage signatures provided by InQuest Labs, customers also have the
ability to define and deploy custom signatures based on their specific needs for detecting sensitive data
in-transit. This enables analysts to quickly identify and pinpoint the location of an attempted data
exfiltration crossing their network boundaries.

User-defined signatures can be based on proprietary, sensitive, or other information known only to the
internal organization. Simple signatures may alert on the detection of common markings for documents
containing sensitive information (“SECRET”, “PROPRIETARY”, etc.). Other potential signatures may include
account credentials, Social Security Numbers, or other types of Personally Identifiable Information (PII). The
possibilities are endless and can be tailored to meet the needs of a particular organization.

Alert

InQuest provides an intuitive and powerful user interface to enable analysts to quickly access data passing
through their network. Automated alerting functionality will notify an analyst if any of the currently defined
Data Leakage signatures have triggered, what their associated data exposure levels are and provide immediate
access to the associated network sessions, files, and post-processing tool results.

The InQuest User Interface also provides powerful search and query functionality against all of the data
observed passing through the network boundary as well as the results of analysis engines. This can be used in
the development and testing of new signatures, to explore relationships among data and alerts, and to determine
the possible impact of a detected breach.
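As an added example (not InQuest’s code), the following Python sketch imitates the Dissect and Identify steps described above and the recursive file dissection described under Malware Hunting: it unwraps nested ZIP containers and base64-encoded text, then scans every leaf against a small set of constructed Data Leakage signatures (a classification-marking pattern and an SSN-like pattern). The container layout, the signature names and patterns, and the sample content are all assumptions for illustration.

```python
"""Recursive dissection followed by a signature scan over every extracted leaf."""
import base64
import io
import re
import zipfile

# Constructed Data Leakage "signatures" (assumed for illustration, not InQuest's):
# name -> compiled bytes pattern applied to each dissected leaf.
SIGNATURES = {
    "classification_marking": re.compile(rb"\b(SECRET|PROPRIETARY)\b"),
    "ssn_like": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}

MAX_DEPTH = 8  # stop unwrapping at this nesting depth (guards against decoy deep nesting)
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")  # heuristic: one base64 blob, no whitespace


def dissect(data: bytes, path: str = "root", depth: int = 0):
    """Yield (path, leaf_bytes) for each piece of content that cannot be unwrapped further.

    ZIP archives are opened and each member recursed; base64 text is decoded and recursed;
    anything else is a leaf. Real dissectors handle many more containers and encodings."""
    if depth > MAX_DEPTH:
        yield path + "#depth-limit", data
        return
    if data.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from dissect(zf.read(info), f"{path}/{info.filename}", depth + 1)
        return
    blob = data.strip()
    if BASE64_RE.match(blob):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = b""
        if decoded:
            yield from dissect(decoded, path + "(base64)", depth + 1)
            return
    yield path, data


def identify(data: bytes):
    """Dissect `data` and return sorted (path, signature_name) pairs for every hit."""
    hits = []
    for path, leaf in dissect(data):
        for name, pattern in SIGNATURES.items():
            if pattern.search(leaf):
                hits.append((path, name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed input: outer.zip -> inner.zip -> notes.txt holding base64-encoded text
    that carries a PROPRIETARY marking and an SSN-like number, plus a benign readme."""
    sensitive = b"Quarterly plan - PROPRIETARY\nEmployee 123-45-6789 relocated.\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.txt", base64.b64encode(sensitive))
        zf.writestr("readme.txt", b"Nothing to see here.")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, sig in identify(build_sample()):
        print(f"{sig:24} {path}")
```

Each hit names the leaf's full path through the containers, which is what lets an analyst pinpoint where in a nested file the sensitive content was hidden.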

Machine Learning Assisted Threat Detection

Use Case Description

Sometimes, no matter how broad of a net is cast with heuristics, signatures just aren’t enough to capture all
malware. Machine learning provides an adaptive solution to these elusive corner cases. By learning from their
mistakes, ML classifiers are able to tightly fill the cracks in a system’s armor.

Our Solution

InQuest’s proprietary machine learning software is built out of four well-vetted classifiers, and uses
previously collected data on malicious and benign content to automatically discover patterns that might be
left uncovered by signatures. On a weekly basis, models constructed from our ML algorithms are updated with
the latest information from previously processed network traffic.

ICAP Integration

Use Case Description

Web traffic makes up the vast majority of network traffic entering and leaving a corporate network. ICAP (the
Internet Content Adaptation Protocol) provides a mechanism for web proxies to present web traffic for
inspection and modification. A corporate environment could combine its existing proxy infrastructure with an
ICAP provider to detect outbound data leakage, inbound threats, command and control traffic for existing
malicious software, and policy enforcement.

Our Solution

The InQuest platform includes a comprehensive ICAP solution that provides data leakage prevention, threat
blocking, and command and control detection.

Data Leakage Prevention

The InQuest ICAP server inspects all outbound web traffic. If data leakage is detected, the request is
blocked and the session logged. This provides network administrators real-time notification and in-depth
analysis of potential data leaks.

Threat Blocking

Visits to malicious websites, or attempts to download malicious documents and software, can be detected and
blocked in real time by the InQuest ICAP server working in concert with a corporate proxy. InQuest's
comprehensive threat-detection rules, machine learning-based threat detection, and cloud intelligence are
brought to bear on each visited web page, document, and download. Security analysts are notified in real time
of threats, and those threats can be immediately blocked.

Command and Control Detection

Once a system becomes infected with malware, the malicious software will often attempt to "phone home" by
contacting a command and control system. These communication attempts may be to receive instructions on how
to attack other systems or to exfiltrate sensitive data. Web-based command and control traffic is detected and
blocked in real time by InQuest's ICAP solution, preventing data exfiltration and potentially halting further
compromise. Security analysts are notified in real time to provide instant visibility into command and control
communication.